Bug 1139297 - Implement CSP upgrade-insecure-requests directive - cors tests (r=smaug)

--HG--
extra : rebase_source : 59ab74d90890d6756de82b64808ff35a947f0c2c
Christoph Kerschbaumer 2015-07-10 09:17:17 -07:00
parent bf74850156
commit 69eba2fa6a
4 changed files with 201 additions and 0 deletions


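--- a/dom/security/test/csp/file_upgrade_insecure_cors.html
+++ b/dom/security/test/csp/file_upgrade_insecure_cors.html
@@ -0,0 +1,49 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+</head>
+<body>
+<script type="text/javascript">
+// === TEST 1
+var url1 = "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test1";
+var xhr1 = new XMLHttpRequest();
+xhr1.open("GET", url1, true);
+xhr1.onload = function() {
+window.parent.postMessage(xhr1.response, "*");
+};
+xhr1.onerror = function() {
+window.parent.postMessage("test1-failed", "*");
+};
+xhr1.send();
+// === TEST 2
+var url2 = "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test2";
+var xhr2 = new XMLHttpRequest();
+xhr2.open("GET", url2, true);
+xhr2.onload = function() {
+window.parent.postMessage(xhr2.response, "*");
+};
+xhr2.onerror = function() {
+window.parent.postMessage("test2-failed", "*");
+};
+xhr2.send();
+// === TEST 3
+var url3 = "http://test2.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test3";
+var xhr3 = new XMLHttpRequest();
+xhr3.open("GET", url3, true);
+xhr3.onload = function() {
+window.parent.postMessage(xhr3.response, "*");
+};
+xhr3.onerror = function() {
+window.parent.postMessage("test3-failed", "*");
+};
+xhr3.send();
+</script>
+</body>
+</html>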
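Review bot: The three XHR blocks are the same seven lines repeated with only the URL and the failure label changed, so nothing except position ties `"test2-failed"` to `url2`, and a fourth test copied the same way can easily post the wrong label. A helper that takes the URL and the label together removes the duplication and keeps each label next to the URL it belongs to. The `onload` path forwards `xhr.response` without looking at `status`; that appears intentional because the parent page compares the exact payload, but it deserves a comment such as `// forward the body verbatim; the parent page checks for the exact expected token`.
```javascript
function runTest(url, label) {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", url, true);
  xhr.onload = function() {
    // forward the body verbatim; the parent page checks for the exact expected token
    window.parent.postMessage(xhr.response, "*");
  };
  xhr.onerror = function() {
    window.parent.postMessage(label + "-failed", "*");
  };
  xhr.send();
}

runTest("http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test1", "test1");
runTest("http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test2", "test2");
runTest("http://test2.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test3", "test3");
```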


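--- a/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs
+++ b/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs
@@ -0,0 +1,62 @@
+// Custom *.sjs file specifically for the needs of Bug:
+// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
+function handleRequest(request, response)
+{
+// avoid confusing cache behaviors
+response.setHeader("Cache-Control", "no-cache", false);
+// perform sanity check and make sure that all requests get upgraded to use https
+if (request.scheme !== "https") {
+response.write("request not https");
+return;
+}
+var queryString = request.queryString;
+// TEST 1
+if (queryString === "test1") {
+var newLocation =
+"http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test1";
+response.setStatusLine("1.1", 302, "Found");
+response.setHeader("Location", newLocation, false);
+return;
+}
+if (queryString === "redir-test1") {
+response.write("test1-no-cors-ok");
+return;
+}
+// TEST 2
+if (queryString === "test2") {
+var newLocation =
+"http://test1.example.com:443/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test2";
+response.setStatusLine("1.1", 302, "Found");
+response.setHeader("Location", newLocation, false);
+return;
+}
+if (queryString === "redir-test2") {
+response.write("test2-no-cors-diffport-ok");
+return;
+}
+// TEST 3
+response.setHeader("Access-Control-Allow-Headers", "content-type", false);
+response.setHeader("Access-Control-Allow-Methods", "POST, GET", false);
+response.setHeader("Access-Control-Allow-Origin", "*", false);
+if (queryString === "test3") {
+var newLocation =
+"http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test3";
+response.setStatusLine("1.1", 302, "Found");
+response.setHeader("Location", newLocation, false);
+return;
+}
+if (queryString === "redir-test3") {
+response.write("test3-cors-ok");
+return;
+}
+// we should not get here, but just in case return something unexpected
+response.write("d'oh");
+}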
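Review bot: The CORS headers under `// TEST 3` are attached by fall-through: tests 1 and 2 only avoid them because their branches return earlier, and nothing in the handler says that ordering is load-bearing, so a test added below the header block would silently inherit `Access-Control-Allow-Origin: *`. A comment above the first `response.setHeader("Access-Control-Allow-Headers", ...)` such as `// Tests 1 and 2 must be answered WITHOUT CORS headers, so their early returns stay above this point; everything below is served with Access-Control-Allow-Origin: *` makes that explicit. The `// we should not get here` fallback reaches the client as a 200 carrying those headers; if the intent is to fail loudly, `response.setStatusLine("1.1", 400, "Bad Request");` before the `d'oh` write would route an unknown query string into the XHR error path instead. `var newLocation` is declared three times in one function scope, which works only because of hoisting; one declaration, or distinct names, would read as intended.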


@ -127,6 +127,8 @@ support-files =
file_upgrade_insecure_reporting_server.sjs
file_upgrade_insecure_referrer.html
file_upgrade_insecure_referrer_server.sjs
file_upgrade_insecure_cors.html
file_upgrade_insecure_cors_server.sjs
[test_base-uri.html]
[test_blob_data_schemes.html]
@ -189,3 +191,5 @@ skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolk
skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
[test_upgrade_insecure_referrer.html]
skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
[test_upgrade_insecure_cors.html]
skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'


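--- a/dom/security/test/csp/test_upgrade_insecure_cors.html
+++ b/dom/security/test/csp/test_upgrade_insecure_cors.html
@@ -0,0 +1,86 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+<script class="testbody" type="text/javascript">
+/* Description of the test:
+* We load a page serving two XHR requests (including being redirected);
+* one that should not require CORS and one that should require cors, in particular:
+*
+* Test 1:
+* Main page: https://test1.example.com
+* XHR request: http://test1.example.com
+* Redirect to: http://test1.example.com
+* Description: Upgrade insecure should upgrade from http to https and also
+* surpress CORS for that case.
+*
+* Test 2:
+* Main page: https://test1.example.com
+* XHR request: http://test1.example.com
+* Redirect to: http://test1.example.com:443
+* Description: Upgrade insecure should upgrade from http to https and also
+* prevent CORS for that case.
+* Note: If redirecting to a different port, then CORS *should* be enforced (unless
+* it's port 443). Unfortunately we can't test that because of the setup of our
+* *.sjs files; they only are able to listen to port 443, see:
+* http://mxr.mozilla.org/mozilla-central/source/build/pgo/server-locations.txt#98
+*
+* Test 3:
+* Main page: https://test1.example.com
+* XHR request: http://test2.example.com
+* Redirect to: http://test1.example.com
+* Description: Upgrade insecure should *not* prevent CORS since
+* the page performs a cross origin xhr.
+*
+*/
+const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
+var tests = 3;
+function loadTest() {
+var src = "https://test1.example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
+// append the file that should be served
+src += escape("tests/dom/security/test/csp/file_upgrade_insecure_cors.html")
+// append the CSP that should be used to serve the file
+src += "&csp=" + escape(CSP_POLICY);
+document.getElementById("testframe").src = src;
+}
+function checkResult(result) {
+if (result === "test1-no-cors-ok" ||
+result === "test2-no-cors-diffport-ok" ||
+result === "test3-cors-ok") {
+ok(true, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
+}
+else {
+ok(false, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
+}
+if (--tests > 0) {
+return;
+}
+window.removeEventListener("message", receiveMessage, false);
+SimpleTest.finish();
+}
+// a postMessage handler that is used to bubble up results from
+// within the iframe.
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+checkResult(event.data);
+}
+SimpleTest.waitForExplicitFinish();
+loadTest();
+</script>
+</body>
+</html>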
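Review bot: `checkResult` decrements `tests` on every message and accepts any one of the three success tokens, so three arrivals of the same token (or any unexpected sender) would pass the test without exercising all three cases, and `receiveMessage` never checks where the message came from. Recording which tokens have already been reported turns a repeat into a failure while keeping the existing finish-after-three behaviour; comparing `event.source` with the iframe's `contentWindow` in `receiveMessage` would additionally drop stray messages, though in a mochitest harness that is a minor concern. The description comment also reads `surpress` where `suppress` is meant, and the header comment says "two XHR requests" while three are issued.
```javascript
const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
var tests = 3;
// tokens already reported by the iframe; a repeat must not count as a new pass
var seen = Object.create(null);
// … unchanged: loadTest …
function checkResult(result) {
  var expected = (result === "test1-no-cors-ok" ||
                  result === "test2-no-cors-diffport-ok" ||
                  result === "test3-cors-ok");
  var pass = expected && !seen[result];
  seen[result] = true;
  ok(pass, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
  if (--tests > 0) {
    return;
  }
  // … unchanged: remove the listener and call SimpleTest.finish() …
}
```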